Cryptocat
I’m late writing about this one. Cryptocat is a web-based encrypted chat application. After Wired published a pretty fluffy profile on the program and its author, security researcher Chris Soghoian wrote an essay criticizing the unskeptical coverage. Ryan Singel, the editor (not the writer) of the Wired piece, responded by defending the original article and attacking Soghoian.
At this point, I would have considered writing a long essay explaining what’s wrong with the whole concept behind Cryptocat, and echoing my complaints about the dangers of uncritically accepting the security claims of people and companies that write security software, but Patrick Ball did a great job:
CryptoCat is one of a whole class of applications that rely on what’s called “host-based security”. The most famous tool in this group is Hushmail, an encrypted e-mail service that takes the same approach. Unfortunately, these tools are subject to a well-known attack. I’ll detail it below, but the short version is if you use one of these applications, your security depends entirely the security of the host. This means that in practice, CryptoCat is no more secure than Yahoo chat, and Hushmail is no more secure than Gmail. More generally, your security in a host-based encryption system is no better than having no crypto at all.
Sometimes it’s nice to come in late.
EDITED TO ADD (8/14): As a result of this, CryptoCat is moving to a browser plug-in model.
Reader • August 14, 2012 7:01 AM
Not sure I understand. Does this mean if CryptoCat and Yahoo hosts are equally “secure”, the unencrypted system is still only just as good as the encrypted?
It is pretty clear that a secure by design service with a vulnerability is certainly no better than a non-secure service without a vulnerability (if there is one – but given that let’s say the OS could perhaps be the same, then vulnerability would be shared between them). Is that the point here?